felleslosninger / efm-asic Goto Github PK

We have an application run with Spring Boot 3 / Spring Framework 6, that uses the new jakarta.xml... packages.

The asic-Library still requires the old javax.xml... packages. It runs only if we install the old library next to the new ones thus duplicating the size of the bundles jaxb libraries.

In addition to that, even new versions of jaxb-impl do not work, the last version, I was able to use the library with, is 2.4.0-b180830.0438 – a version that is 4 1/2 years old.

Hi.

Could you please make a new release with the changes since 0.9.3?
The keyStoreType is a nice change 👍

Thanks

While unmarshaling ACiCManifest object, websphere as throws this exception:

Caused by: javax.xml.bind.UnmarshalException: Unexpected element "{http://uri.etsi.org/02918/v1.2.1#}ASiCManifest". Expected elements are "".
	at com.ibm.xml.xlxp2.jaxb.msg.JAXBMessageProvider.throwUnmarshalExceptionWrapper(JAXBMessageProvider.java:93)
	at com.ibm.xml.xlxp2.jaxb.unmarshal.impl.DeserializationContext.handleSkippedRootElementEvent(DeserializationContext.java:341)
	at com.ibm.xml.xlxp2.jaxb.unmarshal.impl.JAXBDocumentScanner.produceRootElementEvent(JAXBDocumentScanner.java:189)
	at com.ibm.xml.xlxp2.scan.DocumentScanner.scanRootElement(DocumentScanner.java:2241)
	at com.ibm.xml.xlxp2.scan.DocumentScanner.scanProlog(DocumentScanner.java:1733)
	at com.ibm.xml.xlxp2.scan.DocumentScanner.nextEvent(DocumentScanner.java:1323)
	at com.ibm.xml.xlxp2.scan.DocumentScanner.parseDocumentEntity(DocumentScanner.java:1175)
	at com.ibm.xml.xlxp2.jaxb.unmarshal.impl.JAXBDocumentScanner.unmarshal(JAXBDocumentScanner.java:125)
	at com.ibm.xml.xlxp2.jaxb.unmarshal.UnmarshallerImpl.unmarshal(UnmarshallerImpl.java:107)
	at no.difi.asic.CadesAsicManifest.extractAndVerify(CadesAsicManifest.java:107)

Problem is with initializing JAXBContext for IBM unmarshaler. It can be solved with initialization with package. like this:

static {
        try {
            String manifestTypeClassName = ASiCManifestType.class.getCanonicalName();
            jaxbContext = JAXBContext.newInstance(manifestTypeClassName.substring(0, manifestTypeClassName.lastIndexOf(".")));
        } catch (JAXBException e) {
            throw new IllegalStateException(String.format("Unable to create JAXBContext: %s ", e.getMessage()), e);
        }
    }

It works for IBM and java8 sun implementation of Unmarshaler.

Can you fix this?

Thanks

Hi

1. When encrypting the payload before zip'ing it, the resulting asic archive will not be compressed as much as possible because encryption makes the file binary. It is better to create the ASIC archive without encrypted files inside, and then encrypt the resulting zip file. The resulting encrypted archive will most likely be much smaller!

2. Encryption algorithm. Using AES-GCM is not "good". Why? For example, if using OpenSSL to create the encrypted file (PKCS7), AES256 GCM is not supported by OpenSSL commandline. So it will not be possible to create an encrypted ASIC file without coding. Creating a ASIC archive should be simple to implement on different platforms.. Not necessary having Java as an option. I suggest to use AES-256 CBC instead. That way, Creating an encrypted archive can be scripted on platforms that have OpenSSL.

The rules dictate that ASiCManifest.xml should be named like this, with several uppercase letters. The class CadesAsicWriter uses lowercase only, naming the file asicmanifest.xml. For some recipients this is no problem, others expect correct case and will fail. Can we simply change this line in CadesAsicWriter?

When following the instructions for verifying archives at https://github.com/difi/asic, verification fails.

I've attempted to validate own files generated through code as well as the examples used in the source code. Running on a Windows platform.

I get the following error upon validation:

22124:error:2E09A09E:CMS routines:CMS_SignerInfo_verify_content:verification failure:crypto\cms\cms_sd.c:848:
22124:error:2E09D06D:CMS routines:CMS_verify:content verify error:crypto\cms\cms_smime.c:393:

The following procedure was used:

1. Download source code.
2. Run createSampleContainer() in AsicCadesWriterTest method
3. Take the generated file asic-sample-cades-zip and unzip it
4. If not installed, install OPENSSL
5. Open command prompt and navigate to root of unzipped folder
6. Follow instructions for verifying signature using command openssl cms -verify -in META-INF/signature_file_name_here.p7s -inform der -content META-INF/asicmanifest.xml -noverify
7. Validation fails in response with
   22124:error:2E09A09E:CMS routines:CMS_SignerInfo_verify_content:verification failure:crypto\cms\cms_sd.c:848:
   22124:error:2E09D06D:CMS routines:CMS_verify:content verify error:crypto\cms\cms_smime.c:393:

Unsure if it is related to #8 or not.

Hi,

Do you have an estimated release date for the 0.9.3 release? Your change in etsi and xmldsig namespaces will make it easier to work with difi/asic and espd in the same jvm, so we are looking forward to having a release in maven central.

Regards,
Finn

Currently, I did not find a license-file in the repository. According to https://choosealicense.com/no-permission/, that means that no-one may use or copy the code.

I am pretty sure that this is not what you want. Please include a license file.